A newly formed OASIS Web Application Security Technical Committee will attempt to unite industry consensus and provide standards for classifying and responding to web security vulnerabilities. The specifications are designed to benefit both vendors and users. The TC will leverage and extend the work of the Open Web Application Security Project (OWASP) VulnXML project, which has been established for over a year. The existing VulnXML work is being contributed to OASIS as part of the new TC proposal. According to the proposed charter, the WAS-XML technical committee will produce: (1) a classification scheme for web security vulnerabilities; (2) a model to provide guidance for initial threat, impact and therefore risk ratings; (3) an XML schema to describe web security conditions that can be used by both assessment and protection tools. The TC Chair is Mark Curphey. The first meeting of the technical committee will be held as a conference call on July 03, 2003.

From the Announcement

When security researchers and software vendors publish security
advisories, they usually do so in an ambiguous textual form or embed the
data into a proprietary data file that only works with their own
proprietary security tools. The same vulnerability can be (and often
is) described in several different ways, using different language and
context, quantifying the impact and threat and therefore the risk in
different ways and with different ratings assessments. Nor can this
textual data be used to provide automated, immediate protection by web
security assessment and intrusion protection tools.

[The Web Application Security Technical Committee] will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate.
There is a clear distinction between the description of the data and
the subsequent inter-technology communication of it, and given the
substantial work and thought already undertaken, the WAS-XML TC will
leverage that and focus on the data portion of this problem. The
proposers of this TC anticipate that the AVDL specification will consume
WAS-XML data.

"When security researchers publish security advisories or vulnerabilities, they either do so in an ambiguous textual form or using a proprietary data format for use in their tools. The net effect is that security data has become tightly coupled to specific tools and cannot easily be shared across different tools... The VulnXML will create an open standard format for web application security vulnerabilities only. Whilst we believe it could be extended to other classes of security problems, they are beyond the scope of this project... VulnXML aims to make free web application security knowledge available to everyone and anyone at the same time... The VulnXML format will be an open source and openly published standard XML document data type definition from which users can describe a particular security vulnerability in a web application in an unambiguous manner. The DTD will allow the security check developer or security researcher to describe enough meta-data about the vulnerability that an automated program could build an HTTP request or series of requests to determine if the vulnerability exists on the system being tested... [As for] CVE and the Bugtraq databases: The Common Vulnerabilities and Exposures (CVE) database and the Bugtraq database do an excellent job of capturing, recording and classifying security vulnerabilities. They are not, however, designed to capture sufficient information about a web application security vulnerability that would enable it to be automatically built into a check that a tool could use. We will be making every effort to reference CVE meta-data of any vulnerability we convert to the VulnXML format and have made provision in the initial data type definition..." [from the VulnXML Project Vision document]
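The vision document's central claim is that a vulnerability description can carry enough structured meta-data for a tool to build the HTTP request itself and decide from the response whether the condition exists, while still referencing CVE meta-data. The following Python is an added illustration of that idea and is not the VulnXML DTD, the TC's schema or any OASIS/OWASP code: the element names (`vulnerability`, `reference`, `rating`, `request`, `param`, `header`, `detect`), the sample document, the placeholder CVE identifier, the `/search` path and the risk-combination rule are all assumptions made for the example. The sample responses are constructed inline so the check runs offline.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed sample document.  The element names are an assumption for this
# example, not the real VulnXML DTD; the CVE id is a placeholder, not a real entry.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vulnerability id="constructed-example-1">
  <summary>Constructed example: a query parameter is reflected unencoded into HTML</summary>
  <reference source="CVE" id="CVE-0000-0000"/>
  <rating threat="medium" impact="high"/>
  <request method="GET" path="/search">
    <param name="q" value="vulnxml&lt;probe&gt;"/>
    <header name="User-Agent" value="VulnXML-example"/>
  </request>
  <detect status="200" bodyRegex="vulnxml&lt;probe&gt;"/>
</vulnerability>
"""


@dataclass
class Check:
    """Everything a scanner needs: identity, CVE cross-reference, ratings, request, detection."""
    vuln_id: str
    summary: str
    cve: Optional[str]
    threat: str
    impact: str
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    expect_status: Optional[int] = None
    body_regex: Optional[str] = None


def parse_check(xml_text: str) -> Check:
    """Parse one vulnerability document into a Check; reject documents a tool cannot automate."""
    root = ET.fromstring(xml_text)
    if root.tag != "vulnerability":
        raise ValueError("not a vulnerability document")
    req = root.find("request")
    if req is None:
        raise ValueError("no <request> element: description is not machine-actionable")
    ref = root.find("reference[@source='CVE']")   # CVE meta-data is optional but preserved
    rating = root.find("rating")
    det = root.find("detect")
    return Check(
        vuln_id=root.get("id", ""),
        summary=(root.findtext("summary") or "").strip(),
        cve=ref.get("id") if ref is not None else None,
        threat=rating.get("threat", "unknown") if rating is not None else "unknown",
        impact=rating.get("impact", "unknown") if rating is not None else "unknown",
        method=req.get("method", "GET").upper(),
        path=req.get("path", "/"),
        params={p.get("name"): p.get("value", "") for p in req.findall("param")},
        headers={h.get("name"): h.get("value", "") for h in req.findall("header")},
        expect_status=int(det.get("status")) if det is not None and det.get("status") else None,
        body_regex=det.get("bodyRegex") if det is not None else None,
    )


def build_request(check: Check, host: str) -> str:
    """Serialise the check into the raw HTTP/1.1 request a scanner would send."""
    headers = {"Host": host, **check.headers}
    target, body = check.path, ""
    if check.method == "GET":
        if check.params:
            target += "?" + urlencode(check.params)   # percent-encodes the probe value
    else:
        body = urlencode(check.params)
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        headers["Content-Length"] = str(len(body))
    lines = [f"{check.method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def detected(check: Check, status: int, body: str) -> bool:
    """Apply the <detect> condition to a response: status must match, then the body regex."""
    if check.expect_status is not None and status != check.expect_status:
        return False
    if check.body_regex is not None:
        return re.search(check.body_regex, body) is not None
    return True


# Assumed rating model for the example only (the TC's actual model is not on the page):
# ordinal threat x impact, bucketed into low / medium / high.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_rating(check: Check) -> str:
    score = LEVELS.get(check.threat, 0) * LEVELS.get(check.impact, 0)
    if score == 0:
        return "unknown"
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


# Constructed responses: one that echoes the probe raw, one that HTML-encodes it.
VULNERABLE_RESPONSE = "<html><body>Results for vulnxml<probe>:</body></html>"
SAFE_RESPONSE = "<html><body>Results for vulnxml&lt;probe&gt;:</body></html>"

if __name__ == "__main__":
    chk = parse_check(SAMPLE_XML)
    print(build_request(chk, "example.test"))
    print("cve:", chk.cve, "risk:", risk_rating(chk))
    print("vulnerable response detected:", detected(chk, 200, VULNERABLE_RESPONSE))
    print("safe response detected:", detected(chk, 200, SAFE_RESPONSE))
```

Two details carry the point of the passage: the probe value is stored once in the document and the tool derives both the encoded request and the detection regex from it, so different scanners reading the same file send the same request and judge the response the same way; and the CVE reference rides along as meta-data without the CVE entry having to describe the request at all.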